Re: emergency outage requiring database restart

On 11/2/16 11:45 AM, Oskari Saarenmaa wrote:
> 26.10.2016, 21:34, Andres Freund kirjoitti:
>> Any chance that plsh or the script it executes does anything with the file descriptors it inherits? That'd certainly one way to get into odd corruption issues.
>>
>> We processor really should use O_CLOEXEC for the majority of it file handles.
>
> Attached a patch to always use O_CLOEXEC in BasicOpenFile if we're not
> using EXEC_BACKEND. It'd be nice to not expose all fds to most
> pl-languages either, but I guess there's no easy solution to that
> without forcibly closing all fds whenever any functions are called.

It seems like everyone was generally in favor of this. I looked around
the internet for caveats but everyone was basically saying, you should
definitely do this.

Why not for EXEC_BACKEND?

O_CLOEXEC is a newer interface. There are older systems that don't have
it but have FD_CLOEXEC for fcntl(). We should use that as a fallback.

Have you gone through the code and checked for other ways file
descriptors might get opened? Here is a blog posts that lists some
candidates: http://udrepper.livejournal.com/20407.html

Ideally, we would have a test case that exec's something that lists the
open file descriptors, and we check that there are only those we expect.

The comment "We don't expect execve() calls inside the postgres code" is
not quite correct, as we do things like archive_command and COPY to
program (see OpenPipeStream()).

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services